
Bug 579734 (CVE-2016-4001, CVE-2016-4002)

Summary: <app-emulation/qemu-2.7.0: net: buffer overflow in MIPSnet emulator (CVE-2016-{4001,4002})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: qemu+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01131.html
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1326082
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 592430
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2016-04-12 13:06:48 UTC
From ${URL} :

Qemu emulator built with the MIPSnet controller emulator is vulnerable to a
buffer overflow issue. It could occur while receiving network packets in
mipsnet_receive(), if the guest NIC is configured to accept large (MTU) packets.

A remote user/process could use this flaw to crash Qemu resulting in DoS, or potentially execute
arbitrary code with privileges of the Qemu process on a host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01131.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/04/11/6


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
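The receive-path defect described above, as an added C model that is not QEMU's own code: a device with a fixed 1514-byte RX buffer (the limit quoted in the CVE-2016-4002 entry later in this bug) filled by an unchecked copy, beside the length check that the fix class applies; the struct, function and counter names are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 1514 is from the CVE-2016-4002 text on this bug; all names here are assumed. */
#define MODEL_RX_BUF_SIZE 1514

struct model_nic {
    uint8_t  rx_buffer[MODEL_RX_BUF_SIZE];
    uint32_t rx_count;  /* bytes of the frame currently held in rx_buffer */
    uint32_t dropped;   /* oversized frames refused; usable as a detection counter */
};

/* Shape of the defect: the length handed in by the network layer is trusted,
 * so a frame longer than rx_buffer overruns the device state behind it. */
long model_receive_unchecked(struct model_nic *nic,
                             const uint8_t *frame, size_t size)
{
    memcpy(nic->rx_buffer, frame, size);  /* size is never bounded */
    nic->rx_count = (uint32_t)size;
    return (long)size;
}

/* Hardened form: bound the length before any copy, refuse the frame and leave
 * device state untouched. Returns bytes accepted, or -1 if dropped. */
long model_receive_checked(struct model_nic *nic,
                           const uint8_t *frame, size_t size)
{
    if (size > sizeof(nic->rx_buffer)) {
        nic->dropped++;
        return -1;
    }
    memcpy(nic->rx_buffer, frame, size);
    nic->rx_count = (uint32_t)size;
    return (long)size;
}

/* Constructed self-check: full-size frame accepted, jumbo frame refused. */
int model_selftest(void)
{
    static uint8_t jumbo[MODEL_RX_BUF_SIZE + 100];
    struct model_nic nic = {{0}, 0, 0};

    memset(jumbo, 0xAB, sizeof(jumbo));
    if (model_receive_checked(&nic, jumbo, MODEL_RX_BUF_SIZE) != MODEL_RX_BUF_SIZE)
        return 0;
    if (model_receive_checked(&nic, jumbo, sizeof(jumbo)) != -1)
        return 0;
    return nic.dropped == 1 && nic.rx_count == MODEL_RX_BUF_SIZE;
}
```

The `dropped` counter is the detection hook: a guest that keeps producing refused frames is visible from the host side without any memory ever being overrun.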
Comment 1 SpanKY gentoo-dev 2016-04-23 17:52:38 UTC
still not in upstream, but doesn't seem like a big deal ... doesn't seem like anyone really uses this network device
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 23:30:10 UTC
CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
  Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU,
  when the guest NIC is configured to accept large packets, allows remote
  attackers to cause a denial of service (memory corruption and QEMU crash) or
  possibly execute arbitrary code via a packet larger than 1514 bytes.

CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
  Buffer overflow in the stellaris_enet_receive function in
  hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is
  configured to accept large packets, allows remote attackers to cause a
  denial of service (QEMU crash) via a large packet.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 23:40:19 UTC
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
>   Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU,
>   when the guest NIC is configured to accept large packets, allows remote
>   attackers to cause a denial of service (memory corruption and QEMU crash) or
>   possibly execute arbitrary code via a packet larger than 1514 bytes.
> 

Patch is in master right now so hopefully on the next release:

http://git.qemu.org/?p=qemu.git;a=commit;h=3af9187fc6caaf415ab9c0c6d92c9678f65cb17f

> CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
>   Buffer overflow in the stellaris_enet_receive function in
>   hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is
>   configured to accept large packets, allows remote attackers to cause a
>   denial of service (QEMU crash) via a large packet.

Same here... patch is in master as well:

http://git.qemu.org/?p=qemu.git;a=commit;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 00:46:27 UTC
(In reply to Aaron Bauman from comment #3)
> (In reply to GLSAMaker/CVETool Bot from comment #2)
> > CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
> >   Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU,
> >   when the guest NIC is configured to accept large packets, allows remote
> >   attackers to cause a denial of service (memory corruption and QEMU crash) or
> >   possibly execute arbitrary code via a packet larger than 1514 bytes.
> > 
> 
> Patch is in master right now so hopefully on the next release:
> 
> http://git.qemu.org/?p=qemu.git;a=commit;h=3af9187fc6caaf415ab9c0c6d92c9678f65cb17f

This did not make it into 2.6.0 release.

> 
> > CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
> >   Buffer overflow in the stellaris_enet_receive function in
> >   hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is
> >   configured to accept large packets, allows remote attackers to cause a
> >   denial of service (QEMU crash) via a large packet.
> 
> Same here... patch is in master as well:
> 
> http://git.qemu.org/?p=qemu.git;a=commit;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66

This one is good, sorry.
Comment 5 Matthias Maier gentoo-dev 2016-09-05 05:34:31 UTC
Fixed in at least version 2.7.0. Stabilization of 2.7.0 in #592430

commit 671df1de7a8611d59307ffcd448af451c15003ed
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 23:25:32 2016 -0500

    app-emulation/qemu: version bump to 2.7.0, various security fixes
    
    3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
    3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
    c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
    6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
    06630554ccbdd25780aa03c3548aaff1eb56dffd ->              , bug #583952
    844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
    b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 ->              , bug #584102
    1b85898025c4cd95dce673d15e67e60e98e91731 ->              , bug #584146
    521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
    4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
    a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
    ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
    d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
    1e7aed70144b4673fc26e73062064b6724795e5f ->              , bug #589924
    afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
    eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
    ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
    6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
    47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
    
    805b5d98c649d26fc44d2d7755a97f18e62b438a
    56f101ecce0eafd09e2daf1c4eeb1377d6959261
    fff39a7ad09da07ef490de05c92c91f22f8002f2 ->              , bug #592430
    
    Package-Manager: portage-2.2.28
Comment 6 Matthias Maier gentoo-dev 2016-09-05 06:07:10 UTC
*** Bug 579614 has been marked as a duplicate of this bug. ***
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:36:31 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01
by GLSA coordinator Yury German (BlueKnight).